registry  /  @central-icons-qwik/round-outlined-radius-0-stroke-1.5  /  1.1.293

@central-icons-qwik/round-outlined-radius-0-stroke-1.5@1.1.293

A collection of round outlined Qwik icons with 0px radius and 1.5px stroke width, designed for use in Qwik applications.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

Install runs a package-owned license check that contacts centralicons.com with CENTRAL_LICENSE_KEY if present. This is a package-aligned license gate, not a confirmed malicious payload.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install preinstall hook; runtime import renders static icon components
Impact
Potential disclosure of the package-specific license key to the vendor endpoint; no observed credential harvesting beyond that, persistence, destructive action, or remote code execution
Mechanism
license validation POST plus static Qwik icon exports
Rationale
The install-time network behavior is real, but it is limited to vendor license validation using a package-specific CENTRAL_LICENSE_KEY and does not execute remote code or collect unrelated secrets. The library contents are static Qwik icon exports, and scanner hits such as SecretPhrase/Password/CryptoWallet are icon names rather than credential access.
Evidence
package.jsonlicense-check.jsindex.mjsIconAgenticCoding/index.mjsIconSecretPhrase/index.mjsIconPassword/index.mjsIconCryptoWallet/index.mjs
Network endpoints1
centralicons.com/license/check

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines preinstall: node ./license-check.js
  • license-check.js reads CENTRAL_LICENSE_KEY and POSTs it as Authorization to https://centralicons.com/license/check
Evidence against
  • license-check.js only uses a package-specific license env var and package/version metadata
  • Network endpoint is package-aligned with homepage/author branding, not an unrelated host
  • index.mjs is a static barrel exporting icon modules
  • Sample icon modules export Qwik SVG components with no runtime side effects beyond rendering
  • No child_process, shell, fs mutation, eval/vm, dynamic require/import, persistence, or AI-agent control writes found
Behavioral surface
Source
EnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 2,074 file(s), 4.11 MB of source, external domains: centralicons.com, www.w3.org

Source & flagged code

1 flagged · loading source
package.jsonView file
scripts.preinstall = node ./license-check.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 High2 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License